I have put the following in my application's web.xml to try to disallow PUT, DELETE, etc.:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>PUT</http-method>
            <http-method>SEARCH</http-method>
            <http-method>COPY</http-method>
            <http-method>MOVE</http-method>
            <http-method>PROPFIND</http-method>
            <http-method>PROPPATCH</http-method>
            <http-method>MKCOL</http-method>
            <http-method>LOCK</http-method>
            <http-method>UNLOCK</http-method>
            <http-method>delete</http-method>
            <http-method>put</http-method>
            <http-method>search</http-method>
            <http-method>copy</http-method>
            <http-method>move</http-method>
            <http-method>propfind</http-method>
            <http-method>proppatch</http-method>
            <http-method>mkcol</http-method>
            <http-method>lock</http-method>
            <http-method>unlock</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
OK, now:

If I make a request with the DELETE method, I get a 403 back.

If I make a request with the delete method, I get a 403 back.

But

if I make a request with the DeLeTe method, I get an OK!

How can I make it disallow these methods case-insensitively?
Edit: I am testing it with a C# program:

    private void button1_Click(object sender, EventArgs e)
    {
        textBox1.Text = "making request";
        System.Threading.Thread.Sleep(400);
        WebRequest req = WebRequest.Create("http://serverurl/Application/cache_test.jsp");
        req.Method = txtMethod.Text;   // method name is sent exactly as typed in the text box
        try
        {
            HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
            textBox1.Text = "Status: " + resp.StatusCode;
            if (resp.StatusCode == System.Net.HttpStatusCode.OK)
            {
                WebHeaderCollection header = resp.Headers;
                using (System.IO.StreamReader reader = new System.IO.StreamReader(resp.GetResponseStream(), ASCIIEncoding.ASCII))
                {
                    //string responseText = reader.ReadToEnd();
                    textBox1.Text += "\r\n" + reader.ReadToEnd();
                }
            }
        }
        catch (Exception ex)
        {
            // a 403 response surfaces here as a WebException
            textBox1.Text = ex.Message;
        }
    }
txtMethod.Text is the text box into which I enter the method name. When there is a 403, the exception that is thrown is caught by the catch block.

cache_test.jsp contains:

    <%
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
        response.setHeader("Pragma", "no-cache");
        out.print("Method used was: " + request.getMethod());
    %>
Regardless of whether Tomcat behaves incorrectly with respect to the HTTP standard, you should use a whitelist that allows specific methods rather than a blacklist.

For example, the following whitelist will block all methods except a case-sensitive GET and HEAD.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method-omission>GET</http-method-omission>
            <http-method-omission>HEAD</http-method-omission>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

(Note: this requires Tomcat 7+; users of older versions will need to look into other solutions, such as a servlet filter.)

Reference
Well, after a quick test on some random servers carrying the Server: Apache-Coyote header signature in their HTTP replies, it looks like you are right: sending get / HTTP/1.1\r\nHost: <target_IP>\r\n\r\n over a simple netcat connection ought to receive a 400 HTTP code every time.

For example:

    $ { echo -en "get / HTTP/1.1\r\nHost: <target_IP>:8080\r\n\r\n" ; } | nc <target_IP> 8080

    01:14:58.095547 IP 192.168.1.3.57245 > <target_IP>.8080: Flags [P.], seq 1:42, ack 1, win 115, options [nop,nop,TS val 4294788321 ecr 0], length 41
    E..]C.@[email protected]....... ..D.....get / HTTP/1.1
    Host: <target_IP>:8080

    [...]

    01:14:58.447946 IP <target_IP>.8080 > 192.168.1.3.57245: Flags [.], seq 1:1409, ack 43, win 65494, options [nop,nop,TS val 7981294 ecr 4294787971], length 1408
    E...f...i.....p.............A.............. .y....C.HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Transfer-Encoding: chunked
    Date: Tue, 27 Jan 2015 00:15:14 GMT
I must say I am a bit shocked here, and in this situation I would not be surprised to see this behaviour extend to all HTTP/1.1 methods.

You should file a bug report in their bug tracker and send a mail to the appropriate mailing list, because this is an ugly violation of RFC 2616 (see below) with bad consequences.

5.1.1 Method

    The Method token indicates the method to be performed on the
    resource identified by the Request-URI. The method is case-sensitive.

        Method         = "OPTIONS"                ; Section 9.2
                       | "GET"                    ; Section 9.3
                       | "HEAD"                   ; Section 9.4
                       | "POST"                   ; Section 9.5
                       | "PUT"                    ; Section 9.6
                       | "DELETE"                 ; Section 9.7
                       | "TRACE"                  ; Section 9.8
                       | "CONNECT"                ; Section 9.9
                       | extension-method
        extension-method = token